Release Schedule

Description | Date
Release No. | 1.8.0.0
Pilot Release Date & Time | February 6, 2018
Production Release Date & Time | February 8, 2018
Type | Technical Update (Bug fixes, version upgrade, some feature enhancements)


Description | Link
Applications | CCC SSO Proxy
Enabling Services Transition Plan | Link to ES Plan
Operational Support Plan | Link to Support Plan
Communication Plan | Link to Comm Plan
Integration Status Spreadsheet | Link to Status Spreadsheet





Release Summary

Below is a summary of the enhancements and bug fixes that were released during the SSO Proxy version upgrade (1.8.0.0) across all environments on Feb 6 (Pilot) and Feb 8, 2018 (Prod).   

  • Bring all environments to the latest version of the SSO Proxy code (Version 1.8.0.0)
  • A series of user and technical enhancements 
  • A couple of bug fixes

(See Release Scope for items).




One way we can keep spammers from submitting fraud apps through CCCApply is to trigger an error message at the point of submission IF the application submission time is less than 90 seconds from the start time. If the system detects that the time to completion is less than 90 seconds, the error message will appear and block the app from being submitted.
However, if by chance a legitimate applicant is able to complete an application in less than 90 seconds, a call to the Helpdesk will advise the student to wait 47 minutes and they will be able to submit without further delay. In addition, if we find that there are multiple instances of legitimate students encountering the spam prevention error, we can quickly change the time that the error is triggered (hence, configuring the change to meet the needs of colleges and students).
No action is required by the colleges; however


SSO Proxy Update:  What is being updated in this release? 

Below is a list of the enhancements and bug fixes that were included in the SSO Proxy 1.8.0.0 version upgrade, released across all environments on Feb 6 (Pilot) and Feb 8, 2018 (Prod).

  • Bring all environments to the latest version of the SSO Proxy code (Version 1.8.0.0)
  • A series of user and technical enhancements 
  • A couple of bug fixes

(See Release Scope for items).


What are the new enhancements being deployed?

Who benefits from these enhancements?

Over the past year, a number of colleges have reported fraudulent applications being submitted through CCCApply. Thanks to the diligent efforts of these colleges in identifying and providing examples of these applications to the Tech Center, we began working with a data analysis research team who specialize in machine learning algorithms and have kicked off a research and development project and started a pilot project with four colleges.

The goal of the R&D project is to develop a spam filter tool that - based on the machine learning algorithm - flags probable fraud applications and moves them to a "suspend" folder, allowing colleges to review and remove bad applications before they reach their download file. Development is underway now and we plan to release the tool and the admin user-interface to production by June 2018.  Until then, we will continue our efforts to prevent fraud through CCCApply by identifying trends and putting development in place to further thwart fraudulent behavior. 

What are the priority bug fixes?


Who benefits from the bug fixes?

Highlights: Features & Benefits 


In addition to bringing all development and production environments up to the latest version of the CCC SSO proxy, several end-user enhancements and bug fixes are being deployed that will benefit students and college faculty and staff.  


CCCID Validation 

Needed to Support Colleges & Students Implementing the Proxy 
The need for this CCCID validation page is based on Matt's experience working closely with the colleges on the "IdP proxy integration" in general, and on supporting the colleges (and students) with a preparatory step: getting students whose CCCID is not passed by the college's IdP through the CCCID account creation or account recovery process before, and independently of, going to Canvas or Course Exchange and having to deal with this process on the way.

Zero Downtime Config Change 
Deploying this page would be the responsibility of Franz's team, and he has assured us it would be a zero downtime deployment (not even a server restart, just a configuration change to direct students to this process via a URL that Matt would pass out to colleges and/or Support could use for students, if needed).




What are the priority bug fixes and who benefits from them?




No action is required by the colleges to implement these enhancements and fixes, above and beyond the requirement for all colleges to integrate their college or district IdPs with the CCC SSO Proxy.

If your college has not yet completed the CCC SSO Proxy integration process, please contact Matt Schroeder, CCCTC Systems Admin Engineer, at mschroeder@ccctechcenter.org. If you would like to discuss the details of this implementation with the CCCApply product manager, please contact Patty Donohue at pdonohue@ccctechcenter.org.




Release Scope

Release

Type

Jira

Short Description - Please read carefully to determine if this change might negatively impact your application
Release 1.6.0

Enhancement

CCCINFRA-844 - Make student check in eduPersonAffiliation case insensitive

Though the eduPerson specification uses all lower-case characters for its permissible eduPersonAffiliation values, e.g. faculty, student, staff, alum, member, affiliate, employee, library-walk-in, some college/district IdPs are sending mixed case, e.g. Student.

This enhancement converts all eduPersonAffiliation values to lower-case before sending them on as attributes to the downstream SP.


Enhancement

CCCINFRA-845 - Send RelayState Information if configured for the destination IdP

This enhancement facilitates MyPath IdP initiated logins through the OpenCCC IdP.  In the case of the OpenCCC IdP only, the Proxy includes the initial RelayState so that information is not lost and can be used to ultimately redirect the user back to MyPath.
This is a limited use case and should rarely if ever be used by other applications.
Release 1.7.1

Enhancement

CCCINFRA-836 - Add CCCID/eppn mapping when CCCID is passed in SAML

Currently, if a college/district IdP includes the CCCID as an attribute, it is not added to the per-environment eppn-cccid map. The map is only updated if a CCCID is NOT included and the user is detoured to OpenCCC to retrieve it.

This enhancement captures CCCIDs sent by the college/district IdPs and adds them to the map so that the map is updated in both cases.


Enhancement

CCCINFRA-841 - Pass miscodes associated with authsource in authsources_<env>.json as new SAML attribute

To satisfy this enhancement, the proxy now adds a new SAML attribute,

https://www.openccc.net/saml/attributes/cccMisCodes

available to downstream SPs that includes an array of the MisCode(s), e.g. 310, 311, 312, 313, of the authenticated college/district IdP.


Enhancement

CCCINFRA-842 - Include authsource as a SAML attribute

To satisfy this enhancement, the proxy now adds a new SAML attribute,

https://www.openccc.net/saml/attributes/cccAuthSource

available to the downstream SPs that includes the authsource, e.g. MIS310, of the authenticated college/district IdP.


Enhancement

CCCINFRA-843 - Validate CCCID value passed by College/District IdPs

The CCCID is defined in OpenCCC to be a string consisting of 3 upper-case characters and 4 numbers from 0-9 inclusive.  Early Proxy testing showed that some college/district IdPs were sending bogus CCCIDs along in the SAML attributes.

This enhancement implements a basic validation test against the inbound CCCID attribute and, if it fails, detours the user to OpenCCC to retrieve it, just as in the case where the attribute was not included.

Release 1.8.0

Enhancement

CCCINFRA-847 - Upgrade Proxy core to SimpleSAMLphp 1.14.17

The current release of the SSO Proxy is based on the SimpleSAMLphp core version 1.14.3.  Several security patches have been released since then.

This enhancement upgrades the SimpleSAMLphp core version to 1.14.17.


Enhancement

CCCINFRA-925 - Change Proxy to not redirect users with 'student' eduPersonAffiliation to OpenCCC if destination SP is Jasper Reports or CCCAdmin

During initial testing, some college/district personnel are designated in their directory with eduPersonAffiliation values that include student and staff. If these users try to go through the Proxy to, say, the OpenCCC Admin page, and their college/district does not send a CCCID, they are detoured to OpenCCC to retrieve it.

This enhancement implements a configurable "whitelist" of SP entity IDs that, even if the inbound attributes do not include the CCCID, are excluded from the detour to OpenCCC.  This list is currently limited to OpenCCC Admin and OpenCCC JasperReports.

NOTE:  12.13.17 - Patty added to the scope of this requirement by expanding the whitelist of SP entity IDs to include additional destinations (Canvas LMS entity IDs for each college, Admin2, Jasper, DW, etc.)


BUG

CCCINFRA-946 - Always defaulting to redirect to Canvas Prod environment after redirecting from OpenCCC

When testing Canvas integration with the Proxy, it was noted that,

  1. if the initial request was for the Canvas beta site and
  2. if a CCCID was not included in the inbound attributes and therefore the user was detoured to OpenCCC to retrieve it,

the ultimate destination was the Canvas prod site, even though the initial target was the Canvas beta site.

This enhancement adds logic to capture the initial destination, prior to the detour, and ultimately redirects the user back to that destination.


Enhancement

CCCINFRA-964 - Change config.php logging from DEBUG to INFO in Prod

Currently, the Proxy in production is configured with log level DEBUG.  Due to the traffic in production, this results in the log disk partition filling with regularity.

This enhancement changes the logging configuration for the production environment from DEBUG to INFO to cut down on verbose logging.




Add existing CE ticket for the Session Time-Out Issue

Patty can check with Ashwini on the CE ticket

Add to this release plan


Enhancement

CCCINFRA-958 - Update Proxy College IdP Search Page to remove text "Identity Provider" from each college/district that returns in search type ahead box

On the college picker page of the Proxy, the string "Identity Provider" is appended to the current descriptions for each college/district IdP. This has been deemed confusing to the users.

This enhancement removes that string.

Accessibility Note: Includes changes to College Picker page


Enhancement

CCCINFRA-959 - Implement ability for user to find their college on the Proxy IdP search page even if the college uses a district level IdP

Currently, if a college rolls up under their district IdP, the college name does not appear in the selection list on the college picker page.

This enhancement lists every college and, if it rolls up to a district IdP, when it is selected the user is redirected to the district IdP as if they had chosen the district IdP from the selection list.

Accessibility Note: Includes changes to College Picker page


Enhancement

CCCINFRA-987 - Remove deprecated configuration parameters from config.php

This is a de-clutter enhancement to remove deprecated configuration parameters from the Proxy's config.php.  It should not impact any application using the Proxy.

Enhancement

CCCINFRA-988 - Create an /index.php landing page for proxy to handle proxy session timeout scenarios

This enhancement stems from CIP-688.  If a user initially hits the proxy, is redirected to their college/district IdP per the normal flow, and takes longer to authenticate than the timeout set in CIP-688, they will be sent to this Proxy session timeout page.

Accessibility Note: Includes Session Timeout error page


Accessibility

EPIC

CIP-708 - Accessibility Review

Main ticket for all accessibility issues in this release

Accessibility

Enhancement

CE-2205 Rework Student User Experience for Session Timeouts

Some SAML2 SP implementations, including the one used by Course Exchange, honor the SessionNotOnOrAfter attribute, which is currently set to the same duration as the Proxy session timeout.  This enhancement allows us to control that attribute setting independently from the Proxy session timeout.
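
The inbound-attribute handling described in CCCINFRA-844, CCCINFRA-843 and CCCINFRA-925 above, modelled as an added Python example; it is not the Proxy's own code, which is built on SimpleSAMLphp. The attribute name cccId, the SP entity IDs, dropping a malformed CCCID before forwarding, and the rule that only users with a student affiliation are detoured are assumptions for illustration.

```python
import re

# CCCINFRA-843: a CCCID is 3 upper-case characters followed by 4 digits (0-9).
# Assumptions: ASCII letters only, and exactly one value in the attribute.
CCCID_RE = re.compile(r"[A-Z]{3}[0-9]{4}")
CCCID_ATTR = "cccId"  # hypothetical attribute name
AFFILIATION_ATTR = "eduPersonAffiliation"
# CCCINFRA-925: SPs excluded from the OpenCCC detour (hypothetical entity IDs).
DETOUR_EXEMPT_SPS = frozenset({
    "https://admin.example.edu/sp",
    "https://reports.example.edu/sp",
})
# Constructed inbound attributes: mixed-case affiliation, malformed CCCID.
SAMPLE = {AFFILIATION_ATTR: ["Student", "Staff"], CCCID_ATTR: ["abc1234"]}


def valid_cccid(values):
    """Return the CCCID if the attribute holds exactly one well-formed value."""
    if not isinstance(values, list) or len(values) != 1:
        return None
    value = values[0]
    # fullmatch, not match() with '$': '$' would also accept "ABC1234\n".
    if isinstance(value, str) and CCCID_RE.fullmatch(value):
        return value
    return None


def route(attributes, sp_entity_id):
    """Return (decision, outbound_attributes) for one authenticated user."""
    # Copy everything except the inbound CCCID, which is re-added only if valid.
    out = {k: list(v) for k, v in attributes.items() if k != CCCID_ATTR}
    # CCCINFRA-844: lower-case affiliations before checking or forwarding them.
    affiliations = [a.lower() for a in out.get(AFFILIATION_ATTR, [])]
    if AFFILIATION_ATTR in out:
        out[AFFILIATION_ATTR] = affiliations
    cccid = valid_cccid(attributes.get(CCCID_ATTR))
    if cccid is not None:
        out[CCCID_ATTR] = [cccid]
        return "forward", out
    # A malformed CCCID is treated like a missing one. Assumption: only users
    # with a 'student' affiliation are detoured, and never for exempt SPs.
    if "student" in affiliations and sp_entity_id not in DETOUR_EXEMPT_SPS:
        return "detour_to_openccc", out
    return "forward", out


if __name__ == "__main__":
    print(route(SAMPLE, "https://lms.example.edu/sp"))
    print(route(SAMPLE, "https://admin.example.edu/sp"))
```
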

Out-of-Scope

Jira

Short Description - Please read carefully to determine if this change might negatively impact your application
CCCINFRA-862 - Improve error page when user logs in and proxy session has expired

Pulled out of the 1.8.0 release; this is a low priority.
CIP-688 - Change Proxy session timeout 

Pulled this out of the 1.8.0 release due to issues identified during testing in TEST. 

This was the quick fix for the session time-out issue.  See CCCINFRA-839



The Pilot Proxy

Getting to the Pilot Proxy


PILOT Application

NEW PILOT Application URL








Documentation

The following links point to the most current versions of the CCC SSO Proxy documentation.

Description

Version

Link

ReleaseDate Published
CCC SSO Federation
CSF

CCC SSO Proxy Integration Steps
Steps to Integrate with the CCC SSO Proxy

